Brand impersonation: Square

Impersonation of Square, typically containing security-related language, secure message notifications, or credential theft indicators from unauthorized senders.

Sublime rule

# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# The expression has three parts, each annotated inline below:
#   1. a brand signal (display name near "square", or a Square logo in a screenshot),
#   2. a content signal (security / secure-message / notification topics or a
#      high-confidence credential-theft intent, from body text or OCR of a screenshot),
#   3. sender exclusions (org domains, authenticated Square/Block domains,
#      authenticated high-trust domains, and solicited senders that pass auth).
name: "Brand impersonation: Square"
description: "Impersonation of Square, typically containing security-related language, secure message notifications, or credential theft indicators from unauthorized senders."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // --- 1. Brand signal: the message must resemble Square in one of two ways ---
  and (
    // levenshtein distance similar to Square
    // (a) display name is within one edit of "square" (case-insensitive) after
    //     confusable characters are normalised; the literal name "SquareX" is
    //     carved out so that brand is not treated as a lookalike
    (
      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                           'square'
      ) <= 1
      and sender.display_name not in ("SquareX")
    )
    // (b) logo detection on a screenshot of the message reports Square at
    //     high confidence
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "Square" and .confidence == "high"
    )
  )
  // --- 2. Content signal: lure topics or credential-theft intent ---
  and (
    (
      // body text is classified into one of the three lure topics at
      // medium or high confidence ...
      any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in (
            "Security and Authentication",
            "Secure Message",
            "Reminders and Notifications"
          )
          and .confidence in ("medium", "high")
      )
      // ... and is not also classified as newsletter or entertainment content,
      // which would otherwise produce noise from legitimate marketing mail
      and not any(ml.nlu_classifier(body.current_thread.text).topics,
                  .name in ("Newsletters and Digests", "Entertainment and Sports")
                  and .confidence in ("medium", "high")
      )
    )
    // Same topic check, but run against OCR text extracted from a screenshot
    // of the message (catches image-only lures). The `.text != ""` guard keeps
    // this branch from matching when OCR produced no text at all.
    or (
      any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
          .name in (
            "Security and Authentication",
            "Secure Message",
            "Reminders and Notifications"
          )
          and .confidence in ("medium", "high")
          and beta.ocr(file.message_screenshot()).text != ""
      )
      and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
                  .name in ("Newsletters and Digests", "Entertainment and Sports")
                  and .confidence in ("medium", "high")
      )
    )
    // A high-confidence credential-theft intent from either text source is
    // sufficient on its own (no topic match required).
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )
  
  // --- 3. Sender exclusions ---
  // and the sender is not in org_domains or from Square domains and passes auth
  // Square/Block domains are excluded only when DMARC passes, so a message
  // claiming square.com that fails DMARC is still evaluated by this rule.
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "square.com",
        "squareup.com",
        "block.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  // Equivalent intent: a high-trust root domain is excluded only when it also
  // passes DMARC; a high-trust domain failing DMARC still reaches the rule.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Finally, drop mail from senders the recipient has previously solicited,
  // unless that mail fails DMARC or SPF (a solicited identity can be spoofed).
  and (
    not profile.by_sender().solicited
    or not headers.auth_summary.dmarc.pass
    or not headers.auth_summary.spf.pass
  )  

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Each method listed corresponds to a capability invoked in `source` above
# (logo_detect, nlu_classifier, headers.auth_summary, beta.ocr, sender/profile checks).
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
# Stable rule identifier.
id: "63f9b449-b2f3-50be-a284-5448b8f75ebf"